| Message ID | d253919c-f547-54b2-f2ab-98f1068f5ce7@googlemail.com |
|---|---|
| State | Accepted |
| Headers | show |
On Fri, Jan 06, 2017 at 08:48:02PM +0100, Andreas Cadhalpun wrote: > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > --- > libavformat/genh.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libavformat/genh.c b/libavformat/genh.c > index b683e026d1..6ce2588ed3 100644 > --- a/libavformat/genh.c > +++ b/libavformat/genh.c > @@ -74,6 +74,7 @@ static int genh_read_header(AVFormatContext *s) > case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break; > case 1: > case 11: st->codecpar->bits_per_coded_sample = 4; > + FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels > INT_MAX / 36) > st->codecpar->block_align = 36 * st->codecpar->channels; > st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break; > case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break; i see a channels * 1024 in genh_read_packet() is the added check sufficient ? also i think we should ask for a sample for a file that has a channel count beyond normal bounds [...]
On 1/7/17, Michael Niedermayer <michael@niedermayer.cc> wrote: > On Fri, Jan 06, 2017 at 08:48:02PM +0100, Andreas Cadhalpun wrote: >> Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> >> --- >> libavformat/genh.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/libavformat/genh.c b/libavformat/genh.c >> index b683e026d1..6ce2588ed3 100644 >> --- a/libavformat/genh.c >> +++ b/libavformat/genh.c >> @@ -74,6 +74,7 @@ static int genh_read_header(AVFormatContext *s) >> case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; >> break; >> case 1: >> case 11: st->codecpar->bits_per_coded_sample = 4; >> + FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels > INT_MAX / >> 36) >> st->codecpar->block_align = 36 * st->codecpar->channels; >> st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; >> break; >> case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; >> break; > > i see a channels * 1024 in genh_read_packet() > is the added check sufficient ? > > also i think we should ask for a sample for a file that has a > channel count beyond normal bounds No, we should not as such samples are invalid.
Hi, On Fri, Jan 6, 2017 at 8:43 PM, Michael Niedermayer <michael@niedermayer.cc> wrote: > On Fri, Jan 06, 2017 at 08:48:02PM +0100, Andreas Cadhalpun wrote: > > Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> > > --- > > libavformat/genh.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/libavformat/genh.c b/libavformat/genh.c > > index b683e026d1..6ce2588ed3 100644 > > --- a/libavformat/genh.c > > +++ b/libavformat/genh.c > > @@ -74,6 +74,7 @@ static int genh_read_header(AVFormatContext *s) > > case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; > break; > > case 1: > > case 11: st->codecpar->bits_per_coded_sample = 4; > > + FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels > INT_MAX > / 36) > > st->codecpar->block_align = 36 * st->codecpar->channels; > > st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; > break; > > case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; > break; > > i see a channels * 1024 in genh_read_packet() > is the added check sufficient ? > > also i think we should ask for a sample for a file that has a > channel count beyond normal bounds Not in this code. Such generic channel sanity checks belong in utils.c, not here, and should not be invoked by the demuxer explicitly, but always run as integral part of read_header or add_stream or so. Ronald
diff --git a/libavformat/genh.c b/libavformat/genh.c index b683e026d1..6ce2588ed3 100644 --- a/libavformat/genh.c +++ b/libavformat/genh.c @@ -74,6 +74,7 @@ static int genh_read_header(AVFormatContext *s) case 0: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_PSX; break; case 1: case 11: st->codecpar->bits_per_coded_sample = 4; + FF_RETURN_ON_OVERFLOW(s, st->codecpar->channels > INT_MAX / 36) st->codecpar->block_align = 36 * st->codecpar->channels; st->codecpar->codec_id = AV_CODEC_ID_ADPCM_IMA_WAV; break; case 2: st->codecpar->codec_id = AV_CODEC_ID_ADPCM_DTK; break;
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun@googlemail.com> --- libavformat/genh.c | 1 + 1 file changed, 1 insertion(+)